Acceleration of Statistical Detection

of

Zero-Day Malware in the Memory

Dump Using CUDA-Enabled GPU

HardwareIgor Korkin, Ph.D. Iwan Nesterow

Independent Researchers2016

Agenda

1. Motivation

2. Analysis of drawbacks of drivers detection

3. HighStem prototype

4. Drivers detection in the memory by separating code from data

5. GPU & CPU powered dump analysis

5-year cyber espionage attack

69 countries were attacked

Sensitive data were collected from hundreds of victims*https://securelist.com/blog/incidents/57647/the-red-october-campaign/

Well-targeted Well-prepared

― Uses 0-day exploits

― Contains fake digital certificates

― Applies anti-forensics tricks

Modern malware in modern world

Havex malware

+20% rise of incidents

Detection becomes too time-consuming

BlackEnergy trojan

BlackEnergy used fake digital certificates

(on the right hand side) and also notice how the expiration date of the certificate

is set to 2040Certificate from the legal file

Certificate from the

BlackEnergy trojan

http://malware-unplugged.blogspot.ru/2016/02/blackout-memory-analysis-of-blackenergy.html

Inside modern malware & its detection

driverdropper

exploitPC was OK

AVs issue updateMalware is deleted

PC is OK again

infection phase

Hackers improve malware

Warn users early

Cross-view drivers detection

# Drivers list made by Example of the lists content Vulnerable

1 A built-in tool, e.g.ZwQuerySystemInformation yes

2 An expert Hope not

How to get the 2nd list of drivers?

• Match the contents of two lists of drivers:

A B C, ,

1 , , ,2 3 4

Warn about a suspicious

driver

Original memory After a new ‘driver C’ is loaded

Using updates in the memory content as a source for drivers detection

Driver A Driver B Driver CDriver A Driver B

Ways to detect:o linkso signatureso statistics

Two updates:• new structures

• new file driver

Classification of drivers detection

The ways to detect drivers

Using drivers structures

Using the content of the drivers files

Classification of drivers detection

The ways to detect drivers

Using drivers structures

Using the content of the drivers files

Based on the links between structures

Signature-based scanning of drivers structures

Classification of drivers detection

The ways to detect drivers

Using drivers structures

Using the content of the drivers files

Based on the links between structures

Signature-based scanning of drivers structures

Signature-based detection

Statistical-based detection

50 80100

8050 10

A.sys B.sys C.sys

Get a drivers list using links Overcome detection by unlinking

Detect drivers using drivers listsDrivers list names Name of structure

PsLoadedModuleList KLDR_DATA_TABLE_ENTRY ObjectDirectory DRIVER_OBJECT Service record list by SCM SERVICE_RECORD Threads from ‘System’ ETHREAD Recently unloaded drivers UNLOADED_DRIVERS

50 80100

5080 10

Get a list using structs signatures Overwrite fields to hide structure

Apply byte-to-byte scanning usingstructures signatures to detect drivers

Type of structures signature Examples of signatures and structures

Pool-tagby ExAllocatePoolWithTag

KLDR_DATA_TABLE_ENTRY DRIVER_OBJECT SERVICE_RECORD

Bytes fragments(fields-based signatures)

50 80100

5080 10

MmLd MmLd MmLd

B8

04

B8

04

B8

04

50 80100

5080 10

MmLd NULL MmLd

B8

04

FF

00

B8

04

03 28 871B 05 5601 01 E4

03 28 841B 05 B0E4 E4 E4

03 28 841B 05 B018 18 E4

03 281B 05

E4--

-

-

Structure Signature

03 28 851B 05 78

12 E412

* ADFSL’14

“MmLd”“Driv”“sErv”

What do we still have in the memory?

Driver A

Header

Import Address table

Code section(executable)

Header

Import Address table

Code section(executable)

Driver B

Header

Import Address table

Code section(executable)

Hidden Driver C

How to find PE-files in the memory?

Driver as a PE-file includes:

PE-file features

CountermeasuresType of signature Examples

ASCII Strings‘MZ’ , ‘PE’ ,

‘This program cannot be run in DOS mode’ Data overwriting

ASCII Strings ‘ZwOpenFile’

Bytes combination(prologue &

epilogue)

8BFF MOV EDI,EDI55 PUSH EBP8BEC MOV EBP,ESP

8BE5 MOV ESP,EBP5D POP EBPC20400 RET 4

Code obfuscating & packing

Apply byte-to-byte scanning using features of PE-file to detect drivers

Header

Code section(executable)

Import Address table

What do we still have in the memory?

Driver A

Header

Import Address table

Code section(executable)

Header

Import Address table

Code section(executable)

Driver B

Header

Import Address table

Code section(executable)

Hidden Driver C

How to find code sections?

Using binary Entropy to separate data types

Definition: 𝑆=−∑𝑖=1

255

𝑝𝑖∗ log2𝑝𝑖

𝑝𝑖− h𝑡 𝑒 𝑓𝑟𝑒𝑞𝑢𝑒𝑛𝑐𝑦 𝑜𝑓 h𝑒𝑎𝑐 𝑏𝑦𝑡𝑒𝑣𝑎𝑙𝑢𝑒𝑖𝑛 h𝑡 𝑒 𝑓𝑖𝑙𝑒 .

Entropy

*Using Entropy Analysis to Find Encrypted and Packed Malware by R. Lyda & J. Hamrock

Plain text

Native exe

cutables

Packed exe

cutab

les

Encry

pted execu

tables

3

5

7

0

1

2

3

4

5

6

7

1 501 1001 1501 2001

Using sliding-window approach to locate executable code

Executable code with high entropy

Entr

opy

valu

es

Offsets

Window size is 256 byte

Overlap is 256 byte

E.g.

Colored diagram of memory dump via binvis

2x zooming

PE header of the driver file

Move down

Import table includes functions names

Overcome

entropy

analysis

Its vulnerability

An idea to overcome entropy analysis &

its vulnerabilityOriginal code

with high entropyInsert blocks to decrease entropy

blocks with zero entropy

Locate data blocks using byte histogram:

It is also susceptible!

97 97 97 97 97

31 31 31 31 31

67 67 67 67 67

Zeus

Tro

jan

All detection methods are vulnerable

Let’s consider the most difficult case for detection - HighStem

The ways to detect drivers Anti-forensic technique

Using drivers structures

Using links between structures Unlinking

Signature-based scanning Overwriting

Using content of drivers files

Signature-based scanning Overwriting & PE packing

Statistical-based detection Inserting data blocks

Highest Stealth Malware (HighStem) imitates the most difficult case for

detection1. Apply Atsiv or Turla Driver Loader to load a HighStem driver2. Collect data without OS function:

3. Improve Zeus manipulation:

kbdhid.sys → DEVICE_EXTENSION →KEYBOARD_ATTRIBUTES

or/and

Insert data blocks

with low entropy

A B C

AB

CSpread code

fragments...

Read keystrokes from the memory

Blockswith zero

entropy

How to reveal all parts of diluted executable?

• Calculate entropy using smaller window size

AB

C...

AB

C...

Apply digital photogrammetry to locate a code

HEADER

CODE

CODE

CODE

IMPO

RT

*Lower Manhattan, November of 2000 by AirPhotoUSA

Analyze the disassembly code

A

...C

B

A B C

push %ebp mov %esp,%ebp push %ecx sub $0x4,%esp movl $0x80484b0,(%esp) call 80482f4 mov $0x0,%eax

1

2

3

4

1

2

3

Apply Zipf-Mandelbrot

law

2

# of

occ

urre

nces

Zipf Law=const,

Zipf-Mandelbrot law

Word rank

*Zipf, Human behavior and the principle of least efforts Mandelbrot, An information theory of the statisticalstructure of languages

Zipf-Mandelbrot lawFrom linguistics to disassembly

listings

Graphics card - a powerful computing unit in a PC

PCI-e Bus

CPU & RAM:• 32 cores on CPU• 16 GB/s bus speed• 8-16 GB of RAM

~0,6 Teraflops

Graphics card:• 1536 cores on GPU• 130 GB/s bus speed• 4 GB of RAM

>1 Teraflops

Graphics card with itsown processors & memory

16 GB/s

16 GB/s

16 GB/s

*GeForce GTX 980M*Intel i7-6785R, launch date Q2'16

• We tested drivers detector from the paper ‘Applying memory forensics to rootkit detection’ ADFSL’2014, Richmond, VA

• GPU works efficiently on 128-byte size coalesced memory• GPU operates much slower on distinct memory fragments

Porting issues of common sliding-window algorithm to GPU

Sliding-window algorithm

(on DRIVER_OBJECT structure,

164 byte block)

Local data processing with coalesced memory accesses

Processing of data, which is located out the window block(e.g. dereferencing pointers)

Hybrid GPU & CPU architecture for common sliding-window algorithm

processingDecomposition task

Local block processing

GPU

Dump file

Out of the block

processing

CPU & RAM

Aggregation task

Shared memory with preliminary

results

Dump file43

1

2

0 200 400 600 8000

100

200

300

400

500

600

700

Speeding up memory forensics by CUDA-enabled GPU hardware

Dura

tion,

sec

Dump size, Mb

only CPU,Intel i7-4870HQ

GPU & CPUGeForce GTX 980M

Conclusions

• Prototype of the most hidden code – a HighStem

• Ideas to locate executable code

• Using CUDA to speed up memory dump analysis

#1: MemoryMon monitors memory changes to track programs activities

in real time•

• MemoryMon

#1: MemoryMon monitors memory changes to track programs activities

in real time•

Monitoring & controlling kernel-mode events by HyperPlatform by Satoshi Tanda @standa_t and Igor Korkin, REcon 2016.

• MemoryMon scenarios:

• Details:

Case 2

Suspicious Driver

?Write

Other Drivers

Case 1

Sensitive Data Unknown

driver

Driver A?Read

Read

Write

#2: Apply virtual reality headset for digital forensics investigations

by Oculus

by Samsung

http://www.pocket-lint.com/news/134352-vuzix-iwear-720-a-vr-headset-that-s-like-putting-a-130-inch-tv-in-front-of-your-face

‘It's like watching a 130-inch television screen from 10 feet away’*

Thank you!

• igor.korkin@gmail.com